I/WE CLAIM:

1. A method of determining rules to be applied to a data packet arriving at a 
first interface within a data packet router, comprising the steps of: 

a. associating at least two sets of rules with the first interface, at least 
one of the sets of rules being a shared set of rules also associated with 
a second interface; 

b. determining a key of the data packet; and 

c. searching the at least two sets of rules for at least one rule matching 
the key. 

2. The method of claim 1 wherein the step of associating at least two sets of 
rules with the first interface includes associating at least one set of rules 
with the first interface alone. 

3. The method of claim 1 wherein the data packet is an internet protocol (IP) 
packet, wherein the interface is located within a router, and wherein the 
step of associating at least two sets of rules with the first interface 
comprises associating at least two access control lists (ACLs) with the first 
interface. 

4. The method of claim 3 wherein each rule has an associated action, each 
associated action being one of packet denial, packet allowance, packet 
counting, and packet copying.

5. The method of claim 3 wherein the key is determined from information 
contained within a header of the IP packet. 

6. The method of claim 5 wherein the information from which the key is
determined includes at least one of an IP source address, an IP destination 
address, a protocol number, a Transmission Control Protocol/User 
Datagram Protocol (TCP/UDP) source port, a TCP/UDP destination port, 
and an Internet Control Message Protocol code. 

7. The method of claim 1 wherein the step of searching the at least two sets of 
rules comprises the steps of: 

a. determining a priority order for the at least two sets of rules; and

b. searching for a rule matching the key in the at least two sets of rules 
in an order matching the priority order. 

8. A method of providing security in a data packet router at which a data 
packet arrives at a first interface, comprising the steps of: 

a. associating at least two sets of rules with the first interface, at least 
one of the sets of rules being a shared set of rules also associated with 
a second interface, each rule in the at least two sets of rules having an 
associated action; 

b. determining a key of the data packet; 

c. searching the at least two sets of rules for at least one rule matching 
the key; and 

d. if at least one rule matching the key is found, applying the action 
associated with each of the at least one rule to the data packet. 

9. The method of claim 8 wherein the step of associating at least two sets of 
rules with the first interface includes associating at least one set of rules 
with the first interface alone. 



137637 



10. The method of claim 8 wherein the data packet is an internet protocol (IP) 
packet, wherein the interface is located within a router, and wherein the 
step of associating at least two sets of rules with the first interface
comprises associating at least two access control lists (ACLs) with the first 
interface. 

11. The method of claim 10 wherein each associated action is one of packet 
denial, packet allowance, packet counting, and packet copying.

12. The method of claim 10 wherein the key is determined from information 
contained within a header of the IP packet. 

13. The method of claim 12 wherein the information from which the key is 
determined includes at least one of an IP source address, an IP destination 
address, a protocol number, a Transmission Control Protocol/User 
Datagram Protocol (TCP/UDP) source port, a TCP/UDP destination port, 
and an Internet Control Message Protocol code. 

14. The method of claim 8 wherein the step of searching the at least two sets of 
rules comprises the steps of: 

a. determining a priority order for the at least two sets of rules; and 

b. searching for a rule matching the key in the at least two sets of rules 
in an order matching the priority order. 

15. A line card comprising: 

a. a first interface; 

b. a second interface; 

c. a first set of rules associated with at least the first interface; 

d. a second set of rules associated with the first interface and with the 
second interface; 

e. means for searching the first set of rules and the second set of rules
for at least one rule specific to individual data packets arriving at the 
first interface. 

16. The line card of claim 15 wherein the first set of rules and the second set of 
rules are Access Control Lists (ACLs). 

17. The line card of claim 15 wherein the first set of rules is associated with
only the first interface. 

18. The line card of claim 17 further comprising: 

a. a third interface; and 

b. a third set of rules associated with the first interface and with the 
second interface; 

and wherein the means for searching for at least one rule specific to 
individual data packets arriving at the first interface further comprises 
searching the third set of rules for such a rule. 

19. The line card of claim 15 further comprising means for associating the first 
set of rules and the second set of rules to the first interface according to a 
priority order, and wherein the means for searching for a rule comprises 
searching the first set of rules and the second set of rules in the order 
specified by the priority order. 

20. A packet switch comprising the line card of claim 15. 

21. A computer-readable medium including instructions for providing 
security in a data packet router at which a data packet arrives at a first 
interface, comprising: 

instructions for associating at least two sets of rules with the first
interface, at least one of the sets of rules being a shared set of rules 
also associated with a second interface, each rule in the at least two 
sets of rules having an associated action; 

instructions for determining a key of the data packet; 

instructions for searching the at least two sets of rules for at least one 
rule matching the key; and 

instructions for applying the action associated with each of the at least 
one rule to the data packet, in the event that at least one rule 
matching the key is found. 
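
An added illustration, not part of the patent text: a minimal Python model of the method of claims 8 and 14, with one ACL shared by two interfaces, one ACL local to the first interface, a key built from header fields, and a priority-ordered search that collects the action of every matching rule. The class names, sample rules and addresses are constructed; the claims do not say how permit and deny hits from different sets are reconciled, so the first permit/deny hit in priority order is assumed to give the verdict.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Key:
    """Key built from header fields listed in claims 6 and 13."""
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None

@dataclass
class Rule:
    action: str                      # "permit", "deny", "count" or "copy"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[int] = None      # None is a wildcard
    dport: Optional[int] = None

    def matches(self, k: Key) -> bool:
        return (ipaddress.ip_address(k.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(k.dst) in ipaddress.ip_network(self.dst)
                and self.proto in (None, k.proto)
                and self.dport in (None, k.dport))

@dataclass
class Interface:
    name: str
    acls: list = field(default_factory=list)   # (priority, acl name, rules)

    def attach(self, priority: int, acl_name: str, rules: list) -> None:
        self.acls.append((priority, acl_name, rules))
        self.acls.sort(key=lambda a: a[0])      # lower number is searched first

    def classify(self, k: Key):
        # Search every attached set in priority order and keep each matching rule.
        hits = [(n, r.action) for _, n, rules in self.acls for r in rules if r.matches(k)]
        # Assumption: the first permit/deny hit decides; count/copy are side effects.
        verdict = next((a for _, a in hits if a in ("permit", "deny")), None)
        return verdict, hits

# Constructed sample: one list object shared by both interfaces, one local to eth0.
SHARED = [Rule("deny", dst="10.0.0.0/8", proto=6, dport=23), Rule("count", proto=1)]
eth0, eth1 = Interface("eth0"), Interface("eth1")
eth0.attach(10, "eth0-local", [Rule("permit", src="192.0.2.0/24", proto=6, dport=23)])
eth0.attach(20, "shared", SHARED)
eth1.attach(10, "shared", SHARED)
TELNET = Key("192.0.2.7", "10.1.1.1", 6, 23)
PING = Key("198.51.100.9", "10.1.1.1", 1)
```

Because both interfaces hold the same `SHARED` list, one rule appended to it changes the result on eth0 and eth1 at once. The eth0-local permit searched ahead of the shared deny shows why the priority order of claim 14 has to be part of any audit of such a configuration.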